Fake CAPTCHA pages used to distribute infostealer malware
- Security researchers discover campaign to spread Lumma Stealer malware
- A fake CAPTCHA page comes with a JavaScript that copies malicious code to the clipboard
- To ‘solve’ the fake CAPTCHA, users are asked to paste the code into CMD and run it
Fake CAPTCHA pages are used to trick victims into downloading and running Lumma infostealer malware.
Security researchers at Guardio Labs recently discovered a major malicious operation targeting millions of people called “DeceptionAds”.
The campaign abuses two legitimate services, the Monetag ad network and BeMob, a cloud-based performance tracking platform. It starts with fake ads, which promote things that appeal to the host site’s audience, such as fake offers, downloads or various services – with pirate streaming and software platforms apparently among the most common themes.
Vane Viper
When the victim clicks on the ad, he is redirected to a fake CAPTCHA page via the BeMob cloaking service. This makes moderation difficult, as BeMob is a legitimate service and as such is not removed from the Monetag advertising network by default.
“By adding a benign BeMob URL to Monetag’s ad management system instead of the direct fake captcha page, the attackers leveraged BeMob’s reputation, complicating Monetag’s content moderation efforts” , says Nati Tal, head of Guardio Labs, in an article.
The CAPTCHA page comes with a piece of JavaScript code that copies a malicious one-line PowerShell command to the clipboard. However, the victim still has to paste that code into the CMD and run it, which is where the CAPTCHA ‘solution’ comes into the picture. To solve the CAPTCHA, users need to open the Windows Run dialog box and press CTRL+V (paste ), then press Enter.
This will run the command that downloads and runs Lumma Stealer. The group behind the attack is called Vane Viper.
Lumma is a popular info stealer in the underground community. It is capable of stealing a wide range of sensitive information, including cryptocurrency wallets, browser data, email data, financial information, FTP client data, and system information.
When Monetag and BeMob were made aware of the campaign, both companies stepped in to address the issue. Monetag deleted 200 accounts, while BeMob ended the campaign within four days.
Via BleepingComputer